[Libwebsockets] Convenience functions for JWTs

Andreas Weigel andrweigel at googlemail.com
Thu Mar 11 23:32:43 CET 2021


Hi,

I'm using libwebsockets to create/sign and send JWTs to different 
providers, which do not all expect the header fields (and are really 
picky when they do not get one they expect "x5t" header or "typ" or 
whatever header). There's two things I encountered and couldn't solve 
directly:

1) x5t in JOSE header (base64url-encoded sha1sum of DER of certificate 
used for signing); I couldn't find any way to with lws_x509_cert to 
either get this fingerprint directly or to get at the DER representation 
in a buffer -- for now, I just used mbedtls directly to produce what I 
needed, which sadly does away with the cryptolib independence.

2) Adding header values to the JOSE header. I used lws_jwt_sign_compact 
but it does not allow for the addition of any header values besides 
"alg". For now, I just copied the function and replaced what I needed.

Did I miss something somewhere?

I'm ready to provide some patches to add the functionality, but I'm not 
quite sure about the best approach.

For 1) I would image to either add a function directly to retrieve a 
fingerprint, or offer a function to expose the DER representation as a 
buffer directly?.

For 2) I thought one could add a function along the lines of

lws_jwt_sign_with_header(struct lws_context *, struct lws_jwk *, struct 
lws_jose *, char *out, size_t out_len, char *temp, int tl, const char 
*format, ...);

and then using lws_jose_render to produce the JSON but then I noticed 
that apart from "lws_jws_parse" there's not much to conveniently fill 
that structure (again, am I missing something?). I thought abut passing 
an LWS_COUNT_JOSE_HDR_ELEMENTS-long array, with values or NULL at the 
corresponding indices. Finally, I thought it would probably be easiest 
to just let the user pass a buffer containing the complete JSON of the 
header he wants, parse it via lws_parse into a jose-struct to sanitize 
the input and if ok, just copy it to the corresponding lws buffer. What 
do you think?

Andreas



More information about the Libwebsockets mailing list